Snort mailing list archives
Re: DNS Reverse Shell sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 04 Feb 2015 14:09:21 -0700
On 2015-02-04 02:06 PM, Dave Killion wrote:
The initial letter
before the dash is part of the "label" (that 0x3A is measuring) so yes - the fact you're counting 58 bytes total (between the character class, the dash, and your pcre string) means you'll match on 0x3A all the time.
In fact, you could probably remove the last pcre check entirely,
since doing that 0x3A check will perform the byte-count for you...
-Dave
On Wed Feb 04 2015 at 1:02:37 PM James Lay
<jlay () slave-tothe-box net [9]> wrote:
On 2015-02-04 01:29 PM,
rmkml wrote:
Thx James for sharing, Length is always the
same, add 0x3A (dns length) like this ?
Add "-" for better
performance ?
modify pcre to use relative?alert udp
$HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS
Shell";
content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11;
offset:2;
fast_pattern; content:"-"; within:1; distance:1;
pcre:"/^[a-z0-9]{56}/Ri";
reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [1];
classtype:bad-unknown; sid:10000150; rev:2;)Best
Regards
@Rmkml On Wed, 4 Feb 2015, James Lay
wrote:
In my testing of
http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [2] I
noticed that during the reverse shell session a semi-constant
showed
up...namely a character followed by a dash, followed by 56
other
characters. Pretty sure this could be changed in the python
code, but
this will catch this in it's current form. It will not
fire on each
and every dns query, but will most likely fire at
least during the
session. alert udp $HOME_NET any ->
any 53 (msg:"Possible Python Reverse DNS
Shell"; content:"|01 00
00 01 00 00 00 00 00 00|"; depth:10; offset:2;
fast_pattern;
pcre:"/[a-z]-[a-z0-9]{56}/i";
reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [3];
classtype:bad-unknown; sid:10000150; rev:1;)
This WILL most likely FP if you're looking for a domain that matches
the above style, but I couldn't find any such domain in my logs. Enjoy.JamesThat's a good idea..would that still
catch the initial "[a-zA-Z]-" at
the start though? Or just the
"-[a-z0-9]{56}"...thanks RM!
James
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with
Slashdot Media, is your
hub for all things parallel software
development, from weekly thought
leadership blogs to news, videos,
case studies, tutorials and more. Take a
look and join the
conversation now. http://goparallel.sourceforge.net/ [4]
_______________________________________________
Snort-sigs mailing
list
Snort-sigs () lists sourceforge net [5]
https://lists.sourceforge.net/lists/listinfo/snort-sigs [6]
http://www.snort.org [7]
Please visit http://blog.snort.org [8]
for the latest news about Snort! Awesome....thanks for the education on this! James Links: ------ [1] http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [2] http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [3] http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [4] http://goparallel.sourceforge.net/ [5] mailto:Snort-sigs () lists sourceforge net [6] https://lists.sourceforge.net/lists/listinfo/snort-sigs [7] http://www.snort.org [8] http://blog.snort.org [9] mailto:jlay () slave-tothe-box net
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- DNS Reverse Shell sig James Lay (Feb 04)
- Re: DNS Reverse Shell sig rmkml (Feb 04)
- Re: DNS Reverse Shell sig James Lay (Feb 04)
- <Possible follow-ups>
- Re: DNS Reverse Shell sig Dave Killion (Feb 04)
- Re: DNS Reverse Shell sig James Lay (Feb 04)
- Re: DNS Reverse Shell sig rmkml (Feb 04)